Friday, February 23, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 20, 2018

On 20 February 2018, Wapack Labs identified 9 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only the email accounts themselves, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 20, 2018

Wapack Labs identified connections from 898 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


Tuesday, February 20, 2018

Huawei and ZTE Phones and Other Devices – Security Up for Sale

TLP AMBER ANNOUNCEMENT: 

Huawei, a long-time Chinese telecommunications-equipment competitor to the U.S. company Cisco Systems, has earned a reputation for selling equipment with a range of cybersecurity, intellectual property, and quality control problems. Wapack Labs concurs with U.S. government agencies that Huawei and ZTE equipment is a cause for concern in supply chain decisions. Huawei and ZTE have higher than normal rates of cybersecurity issues, stemming from a range of root causes. The United States, United Kingdom, Canada, Australia and South Korea began instituting measures to limit the use of Huawei and ZTE equipment in government and military communications as far back as 2003. The warnings were issued via Intelligence Community reports to the U.S. Congress, and ZTE equipment was officially banned for use by U.S. government agencies in 2013. These governments further required that contractors and vendors comply with contracting restrictions against the use of Huawei and ZTE equipment for security reasons, even before the national security issues were made openly public in 2011...READ MORE

Wapack Labs has cataloged and reported on Huawei and telecommunications in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Friday, February 16, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 12, 2018

On 12 February 2018, Wapack Labs identified 88 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only the email accounts themselves, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 12, 2018

Wapack Labs identified connections from 80 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


Friday, February 9, 2018

AZORult Stealer

AZORult is a publicly available information-stealing malware that is popular among hackers. AZORult is delivered via phishing e-mails and through exploit kits (EK), most notably the Rig EK. It collects information from victims by targeting a variety of applications for credential harvesting. In January 2018, Wapack Labs began analyzing AZORult nodes in an effort to identify stolen data. As part of this research, Wapack Labs gained insight into AZORult command and control (C2) infrastructure. This report includes details on the AZORult malware and provides trending on the identified infrastructure. Wapack Labs analysts were able to recover over a million AZORult logs, which include data on victim IPs, e-mails, credentials, and attack server data. This information is listed in the Wapack Labs Blacklist Slack channel and is searchable via our CTAC tool to provide situational awareness...READ MORE

Wapack Labs has cataloged and reported on AZORult malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Feb 06, 2018

On 06 February 2018, Wapack Labs identified 36 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only the email accounts themselves, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: February 06, 2018
 
Wapack Labs identified connections from 1511 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


Friday, February 2, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 29, 2018

On 29 January 2018, Wapack Labs identified 647 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only the email accounts themselves, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 29, 2018
 
Wapack Labs identified connections from 713 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


Thursday, February 1, 2018

Hacker Shop Selling Exfiltrated Data

TLP AMBER ANNOUNCEMENT:

Wapack Labs identified a hacker shop that sells batches of files exfiltrated from computers belonging to companies and organizations across various industries, including a local law enforcement agency, financial institutions, mining companies, and logistics organizations. The shop's victims are located in several countries, though most are in the United States (US). It sells financial data, including full credit card payment authorization forms. The shop has also exposed online banking check operations without obfuscation...READ MORE

Wapack Labs has cataloged and reported on hacker shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  


Tuesday, January 30, 2018

Recent Chinese Exfiltration Method Observed

Chinese nation-state attackers (high confidence) recently used a Java web shell (Chropper.java) against a corporate network's external web server to download an unidentified malware payload. The initial breach of the server occurred on 15 December 2017, likely leveraging a ColdFusion exploit. On 18 December 2017, the attackers deployed a modified version of the web shell. The web shell came from a large collection of popular Chinese web shells uploaded to GitHub by a user who follows well-known Chinese security researchers. The attack sequence took place from 19 to 21 December 2017 and was detected on the 21st. Once connected, the attackers ran a PowerShell script that executed a payload that was never written to disk. The payload established persistence and injected into legitimate Windows processes in order to enumerate all drive letters from C to Z and identify the mapped drives on the server...READ MORE

Wapack Labs has cataloged and reported on data exfiltration methods in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
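The chain described above (web shell on an external web server, then PowerShell launching a payload that never touches disk) leaves a consistent trace in process-creation telemetry: a web-application host process spawning PowerShell, usually with an encoded or download-and-execute command line. The following detection logic is an added example, not Wapack Labs code or data from the report; the log format, the set of web-server parent process names, and the sample events are constructed assumptions, and the decoded PowerShell text is scanned as well so that `-EncodedCommand` blobs do not hide the markers.

```python
"""Added example (not Wapack Labs code): flag PowerShell launched by a web-server
process and grade it by in-memory-execution indicators. Everything below the
imports is an assumption for illustration: the process names, the record layout
(timestamp|host|parent_image|image|command_line) and the sample events."""
import base64
import re
from dataclasses import dataclass

# Assumed host processes of web applications; a ColdFusion/Java web shell would run
# under one of these. Replace with the servers actually deployed in your estate.
WEB_SERVER_PARENTS = {"coldfusion.exe", "java.exe", "jrun.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script)
ENCODED_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{40,})")
# Command-line features consistent with a payload that is never written to disk
MARKERS = [
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)downloadstring|downloaddata|invoke-webrequest|net\.webclient"), "remote download"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop\b|-noprofile\b"), "no profile"),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    severity: str
    reasons: list


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand blob (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed padding etc.
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def is_powershell_launch(image, cmdline):
    # Java's Runtime.exec often goes through cmd.exe, so look inside that case too
    return image.lower() in POWERSHELL_IMAGES or (
        image.lower() == "cmd.exe" and "powershell" in cmdline.lower())


def evaluate(parent, image, cmdline):
    """Classify one process-creation event; returns (severity, reasons) or None."""
    if not is_powershell_launch(image, cmdline):
        return None
    reasons = []
    web_parent = parent.lower() in WEB_SERVER_PARENTS
    if web_parent:
        reasons.append(f"powershell spawned by web server process {parent}")
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command")
        text = cmdline + " " + decoded  # scan the decoded script as well
    for pattern, label in MARKERS:
        if pattern.search(text):
            reasons.append(label)
    in_memory = len(reasons) > (1 if web_parent else 0)
    if web_parent and in_memory:
        return "high", reasons
    if web_parent:
        return "medium", reasons
    if in_memory:
        return "low", reasons
    return None


def analyze(lines):
    """Run evaluate() over pipe-delimited process-creation records (assumed layout)."""
    alerts = []
    for line in lines:
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed records
        ts, host, parent, image, cmdline = parts
        verdict = evaluate(parent, image, cmdline)
        if verdict:
            alerts.append(Alert(ts, host, verdict[0], verdict[1]))
    return alerts


# Constructed sample telemetry (not from the report). The encoded blob is built
# here from a harmless one-liner so the decoder path is exercised.
_BLOB = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    f"2017-12-19T14:02:11Z|WEB01|coldfusion.exe|cmd.exe|cmd.exe /c powershell.exe -nop -w hidden -enc {_BLOB}",
    "2017-12-19T14:05:40Z|WEB01|coldfusion.exe|powershell.exe|powershell.exe -File C:\\inetpub\\scripts\\rotate-logs.ps1",
    f"2017-12-19T14:10:02Z|WS07|explorer.exe|powershell.exe|powershell.exe -w hidden -enc {_BLOB}",
    "2017-12-19T14:12:30Z|WEB01|coldfusion.exe|java.exe|java -jar C:\\ColdFusion\\lib\\scheduler.jar",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a.severity.upper(), a.timestamp, a.host, "; ".join(a.reasons))
```

The grading is deliberately asymmetric: any PowerShell child of a web-application process is worth a look (medium), because web servers have almost no legitimate reason to start a shell, and it becomes high when the command line also shows the fileless indicators. A medium hit with a scripted `-File` path, as in the second sample, may well be an administrator's job, which is why the parent-process rule alone should drive triage rather than automated blocking.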

Friday, January 26, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Jan 22, 2018

On 22 January 2017, Wapack Labs identified 922 unique email accounts compromised by keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only the email accounts themselves, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 22, 2018
 
Wapack Labs identified connections from 834 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


Wednesday, January 24, 2018

Iranian Protests: Propaganda War

Wapack Labs is monitoring developments in the ongoing Iran protests. Wapack analysts continue to observe increasing Internet restrictions and the disabling of communication applications: Facebook, Twitter, Telegram, Google, WhatsApp, and Signal. To date, ProtonMail's free VPN service for Android phones and Psiphon, an app that circumvents network firewalls, are the only means of anonymity available to Iranian citizens. As information censorship increases, so does pro-regime propaganda. The current climate in Iran may give way to Iranian-backed threat actors targeting the anti-regime demonstrators. Wapack Labs assesses, with moderate confidence, that the cyber activity will remain confined to Iran, but continues to monitor the situation for developments affecting our customer base...READ MORE

Wapack Labs has cataloged and reported on protests and cyber activity in Iran in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
